Wednesday, February 16, 2005
Chenxi Wang
Carnegie Mellon University
Olsson 011, 3:30 PM
The Coral Project: Defending against large-scale attacks on the Internet
ABSTRACT
Computer worms and viruses are a prevalent threat to today's systems and networks. The recent outbreaks have been increasingly virulent and damaging. The Coral project at CMU aims to develop innovative, network-wide defenses against widespread worm and virus attacks. Our approaches are rooted in one simple principle: understanding the fundamental factors that enable the fast spread of malicious code; these factors include those that are topological and those that are intrinsic to the infection process. We seek to study, model, and analyze these factors, and then to exploit their characteristics to develop original network security technologies. This talk reports the research progress of Coral in its first year. We started our research asking the following questions: a) How will a virus/worm propagate in a real network? b) Does an epidemic threshold exist for a finite power-law graph (as most real network topologies follow a power-law structure), or any finite graph? c) Where are the most effective places in the Internet to engineer containment mechanisms? We answer the first question by providing equations that accurately model malicious propagation in an arbitrary network topology. We propose a general epidemic threshold condition that applies to arbitrary graphs: we prove that, under reasonable approximations, the epidemic threshold for a network is indicated by the inverse of the largest eigenvalue of the adjacency matrix. For the third question, we investigated the effect of containment at individual hosts, edge routers, and backbone routers. Our analysis shows that both host and edge-router based containment result in a slowdown (in the spreading rate of the worm) that is linear in the number of hosts (routers) implementing the containment filter. Containment at the backbone routers, however, achieves near exponential slowdown. We are currently studying traces we obtained from Symantec, Akamai, and our own network.
Preliminary study revealed interesting traffic patterns that could potentially evade containment mechanisms that operate strictly on limiting outgoing IP addresses. I will discuss our ongoing work in developing new containment techniques to curb the spread of email and topological worms.
Refreshments will be served in the Lounge (Room 224) at 3:00 p.m.
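The threshold condition stated in the abstract (threshold = inverse of the largest eigenvalue of the adjacency matrix), worked through as an added example that is not code from the talk or the Coral project. It assumes an SIS-style model in which an infection with rate `beta` and cure rate `delta` dies out when `beta/delta` is below the threshold; the topologies are small constructed graphs and all function names are hypothetical.

```python
import math

def largest_eigenvalue(adj, iters=5000, tol=1e-12):
    """Largest adjacency eigenvalue by power iteration on A + I.

    adj[i] lists the neighbours of node i (undirected graph). The +I shift
    stops the iteration oscillating on bipartite graphs such as a star.
    """
    n = len(adj)
    x = [1.0 / math.sqrt(n)] * n
    lam = 0.0
    for _ in range(iters):
        y = [x[i] + sum(x[j] for j in adj[i]) for i in range(n)]
        norm = math.sqrt(sum(v * v for v in y))
        x = [v / norm for v in y]
        # Rayleigh quotient x^T A x estimates lambda_max of A itself.
        new = sum(x[i] * sum(x[j] for j in adj[i]) for i in range(n))
        if abs(new - lam) < tol:
            return new
        lam = new
    return lam

def epidemic_threshold(adj):
    """1 / lambda_max; infinite when the graph has no edges left."""
    lam = largest_eigenvalue(adj)
    return math.inf if lam < 1e-9 else 1.0 / lam

def dies_out(adj, beta, delta):
    """Assumed model: infection rate beta, cure rate delta."""
    return beta / delta < epidemic_threshold(adj)

def star(leaves):   # constructed topology: node 0 is the hub
    return [list(range(1, leaves + 1))] + [[0] for _ in range(leaves)]

def ring(n):        # constructed topology: every node has two neighbours
    return [[(i - 1) % n, (i + 1) % n] for i in range(n)]

def isolate(adj, k):
    """Model containment/immunisation of node k by cutting all its links."""
    return [[] if i == k else [j for j in nbrs if j != k]
            for i, nbrs in enumerate(adj)]

if __name__ == "__main__":
    for name, g in [("star-16", star(16)), ("ring-17", ring(17)),
                    ("star-16, hub isolated", isolate(star(16), 0))]:
        print(f"{name}: threshold={epidemic_threshold(g):.3f} "
              f"beta/delta=0.3 dies out: {dies_out(g, 0.3, 1.0)}")
```

Both graphs have 17 nodes, yet the hub-dominated star has half the threshold of the ring, and isolating the single hub removes every edge so the threshold becomes unbounded.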